diff options
author | kris <kris@FreeBSD.org> | 2001-08-30 09:26:54 +0000 |
---|---|---|
committer | kris <kris@FreeBSD.org> | 2001-08-30 09:26:54 +0000 |
commit | 072b9ce451acaee2a7ece2617367d3c3a59caa47 (patch) | |
tree | 31b9d11cd2096980c3a849bb2cc02c571fd7f819 /usr.sbin/lpr | |
parent | c4f33518b627fb166603d8bc4b0e3f73feb18df2 (diff) | |
download | FreeBSD-src-072b9ce451acaee2a7ece2617367d3c3a59caa47.zip FreeBSD-src-072b9ce451acaee2a7ece2617367d3c3a59caa47.tar.gz |
Fix buffer overflow in queue file handling.
Submitted by: millert@openbsd.org, gad
Reported by: X-Force <xforce@iss.net>
Diffstat (limited to 'usr.sbin/lpr')
-rw-r--r-- | usr.sbin/lpr/common_source/displayq.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c index 7727306..f7e61d8 100644 --- a/usr.sbin/lpr/common_source/displayq.c +++ b/usr.sbin/lpr/common_source/displayq.c @@ -73,8 +73,8 @@ static const char rcsid[] = extern uid_t uid, euid; static int col; /* column on screen */ -static char current[40]; /* current file being printed */ -static char file[132]; /* print file name */ +static char current[MAXNAMLEN+1]; /* current file being printed */ +static char file[MAXNAMLEN+1]; /* print file name */ static int first; /* first file in ``files'' column? */ static int garbage; /* # of garbage cf files */ static int lflag; /* long output option */ @@ -95,7 +95,7 @@ displayq(struct printer *pp, int format) { register struct jobqueue *q; register int i, nitems, fd, ret; - register char *cp; + char *cp, *endp; struct jobqueue **queue; struct stat statb; FILE *fp; @@ -156,8 +156,11 @@ displayq(struct printer *pp, int format) else { /* get daemon pid */ cp = current; - while ((i = getc(fp)) != EOF && i != '\n') - *cp++ = i; + endp = cp + sizeof(current) - 1; + while ((i = getc(fp)) != EOF && i != '\n') { + if (cp < endp) + *cp++ = i; + } *cp = '\0'; i = atoi(current); if (i <= 0) { @@ -172,8 +175,11 @@ displayq(struct printer *pp, int format) } else { /* read current file name */ cp = current; - while ((i = getc(fp)) != EOF && i != '\n') - *cp++ = i; + endp = cp + sizeof(current) - 1; + while ((i = getc(fp)) != EOF && i != '\n') { + if (cp < endp) + *cp++ = i; + } *cp = '\0'; /* * Print the status file. |